FWIW I am licensed as a Private Detective in Indiana. I did this primarily because the language for detectives could, if interpreted, cover CF. That said I do not consider myself a Private Detective as I would never perform most of the duties they are trained to perform. For example my skills at tailing a suspect are limited to what I have gleaned from reading Ludlum novels. Conversely, most Private Detectives I have done work for should not be doing CF. They have the training in chain-of-custody, but not computers.
Working the financial side of CF, standardization is what it is all about, hence my suggestion for reporting. Just as in an audit, the tools can be different, more automated, etc. it is just how the results are reported that matters.
David,
And to follow that thread, Harlan's suite of tools and a number of open source Linux tools enable us to do more thorough registry analysis,
If you don't mind me asking what other (Linux) tools do you use for Registry analysis?
Also, the ability to cooperate with analysts from other organizations is important - sharing common tools, procedures, and reports will facilitate this cooperation, and everyone should benefit in the long run.
I, too, would love to see this!
h
Greetings,
Most recently, grokevt (event logs) and reglookup. And I was running your perl tools on OS X, though I ran into some issues with one of the CPAN modules not working on OS X, which is why I was using grokevt and reglookup.
-David
David,
Ah, yes…grokEvt…for Event Logs rather than the Registry.
Can you share information regarding the module you mentioned? I ask, b/c sometimes I know folks don't like to share that kind of information…
thanks,
h
Greetings,
I was running into problems with Parse::Win32Registry. It was operator error, which you helped me figure out. My hives were corrupted, causing get_timestamp to fail.
-David
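A corrupted hive is a common reason a parser's timestamp lookup fails, so the first check is the 512-byte base block. The following is an added example, not code from this thread or from the Parse::Win32Registry project: it validates the regf signature, the primary/secondary sequence numbers (unequal means a dirty hive whose transaction log was never applied), the header XOR checksum, and converts the last-written FILETIME; the sample header and its 2008-01-01 timestamp are constructed inline.

```python
import struct
from datetime import datetime, timedelta, timezone

REGF_HEADER_LEN = 512    # the base block is the first 512 bytes of a hive
CHECKSUM_OFFSET = 0x1FC  # XOR checksum of the 127 DWORDs that precede it
# Constructed sample value: 2008-01-01 00:00:00 UTC as a Windows FILETIME
SAMPLE_FILETIME = (1199145600 + 11644473600) * 10_000_000

def regf_checksum(header: bytes) -> int:
    """XOR of the DWORDs before the checksum field, with the format's
    substitutions for the two reserved results (0 -> 1, 0xFFFFFFFF -> 0xFFFFFFFE)."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", header[:CHECKSUM_OFFSET]):
        csum ^= dword
    if csum == 0:
        return 1
    return 0xFFFFFFFE if csum == 0xFFFFFFFF else csum

def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def build_sample_header(seq1: int, seq2: int, filetime: int) -> bytes:
    """Constructed test data: a minimal base block carrying a correct checksum."""
    hdr = bytearray(REGF_HEADER_LEN)
    struct.pack_into("<4sIIQ", hdr, 0, b"regf", seq1, seq2, filetime)
    struct.pack_into("<II", hdr, 20, 1, 5)  # major/minor format version 1.5
    struct.pack_into("<I", hdr, CHECKSUM_OFFSET, regf_checksum(bytes(hdr)))
    return bytes(hdr)

def check_hive_header(data: bytes) -> dict:
    """Flag base-block conditions that make a parser's timestamp lookup fail."""
    problems, last_written = [], None
    if len(data) < REGF_HEADER_LEN:
        return {"ok": False, "problems": ["truncated base block"], "last_written": None}
    header = data[:REGF_HEADER_LEN]
    sig, seq1, seq2, ft = struct.unpack_from("<4sIIQ", header, 0)
    if sig != b"regf":
        problems.append("bad signature %r" % sig)
    if seq1 != seq2:  # a write was in flight: dirty hive, transaction log not applied
        problems.append("dirty hive: sequence numbers %d != %d" % (seq1, seq2))
    if struct.unpack_from("<I", header, CHECKSUM_OFFSET)[0] != regf_checksum(header):
        problems.append("header checksum mismatch")
    if sig == b"regf":
        try:
            last_written = filetime_to_datetime(ft)
        except OverflowError:
            problems.append("last-written FILETIME out of range")
    return {"ok": not problems, "problems": problems, "last_written": last_written}
```

Run it over the first 512 bytes of a hive (or a hive carved from an image) before handing the file to a key-level parser; a dirty or checksum-failing base block explains a get_timestamp failure without any further digging.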
What do you guys think about cybercrime profiling? Do you think profiling can help solve some cases? In what situation would it be applicable?
I want to do a dissertation on cybercrime profiling and would appreciate your feedback, thoughts and opinions on the topic, as well as ideas of where I can get more information.
Thanks
Never heard of it! Can you provide an introduction?
I guess the biggest question I have is…what are you talking about?
But seriously…what are you talking about? Also, who would do this "profiling"? One of the things I've seen that really concerns me is admins and first responders (as well as analysts) thinking that they have enough information to "profile" an attacker…no training, no background in profiling, and just a little bit of information, and suddenly they're able to divine the intentions of an attacker. 99 times out of 100, this takes them down the wrong road.
So…when you say "cybercrime profiling", what are you referring to?
Jonathan
Cybercrime profiling is the process of determining the character, behaviour, or psychological portrait of a suspect/criminal using available information from a crime scene and from the crime itself. Once a profile of the criminal has been established, it can be used to investigate or interview suspects who match the profile.
Keydet89
Well, I agree with you that sometimes there is little information to build a profile. How about when there is substantial information, especially when a particular crime is committed more than once in a similar fashion? Could this information be enough to establish a profile?
I was thinking of doing research in this area. Anyone with more ideas or comments?
Thanks for your input, Keydet89. Jonathan, I hope you have a clear understanding of cybercrime profiling.
psemenye, a couple of references I can provide you with regarding cyber-profiling are the following:
Tompsett B.C., Marshall A.M., Semmens N.C. (2005), 'Cyberprofiling: Offender Profiling and Geographical Profiling of Crime on the Internet', Computer Network Forensic Research Workshop, IEEE/CreateNet SecureComm 2005, Athens, Greece
Shanmugasundaram, K., Memon, N., Savant, A. & Brönnimann, H. (2003), 'ForNet: A Distributed Forensics Network', MMM-ACNS 2003, pp. 1–16. http//
These should get you started nicely, but of course feel free to contact me for further information with regards to cyberprofiling, as I'm researching the same topic as part of my PhD.
keydet89, a couple of points:
Also, who would do this "profiling"?
Profiling methodologies have been used in both Computer Networking and Network Security for quite some time now, with methodologies ranging from using AI (ANNs, Expert Systems, etc.) and Data Mining to Signature analysis to Frequentist/Bayesian inference/forecasting. Thus, given that profiling was never only restricted to DF scientists, I would presume that a lot of people can do it.
One of the things I've seen that really concerns me is admins and first responders (as well as analysts) thinking that they have enough information to "profile" an attacker
Given that a whole number of scientific disciplines (amongst them Computer Networking people and Network Security people) have been using profiling methodologies long before DF scientists, I would assume that they do actually have enough information.
That information is provided by the captured packets, for one; the analysis of these can yield enough markers to identify both deviations from norms signifying attacks and, through analysis of the attacks themselves, create a profile of an attacker. The level of detail for both attack and attacker profiles depends on a number of factors, which the literature on the topic can possibly provide. Granted, for purposes of a DF investigation and eventual legal action the profiles will need to be much better, which is where knowledge specific to forensic investigators comes into play. However, don't discard the knowledge and expertise of either administrators or first responders/analysts.
…no training, no background in profiling, and just a little bit of information, and suddenly they're able to divine the intentions of an attacker. 99 times out of 100, this takes them down the wrong road.
I believe that is called Intrusion Detection, which is part of the field of Network Security and is by far older than Digital Forensics, with far more research and development put into it, more and more varied methods developed for it, people with a really, really heavy computer science and programming background working on it, performance metrics relying on actual and sound scientific methodologies, and detection rates that have a moderately-to-relatively low (worst case) false-positive/false-negative rate.
DF scientists and investigators simply need extra bits added to the mix in order for the profiles they build of cyber-criminals to be acceptable in a court of law.
Cheers
DarkSYN